    LDAP

    Product Information

    Category: Authentication

    About Lightweight Directory Access Protocol (LDAP)

    The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

    Integration Overview

    campusM integrates with LDAP to authenticate user access to the campusM-provided iOS and Android apps as well as the web portal.
    Below is a summary of the login process:

    1. User enters their credentials in the app or web portal
    2. The app makes a request to the login API service on the campusM Connect Layer over a secured HTTPS connection
    3. The Connect Layer attempts to bind with the institution’s AD/LDAP server using a service account username and password. This allows the Connect Layer to query the LDAP directory for the user logging into the app
    4. Assuming the bind is successful and the user is located in the directory matching the credentials entered, the first name, last name and email address of the user are then passed from LDAP back to the Connect Layer and to the app which authenticates the user 
    5. In case of any error (e.g. if the service account username/password are incorrect), a 403 ‘Not authorized’ message is returned to the app, informing the user that their credentials are invalid

    On the iOS and Android apps, the credentials are held in encrypted storage (keychain for Android and keystore for iOS).
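
The following added example (not campusM or Ex Libris code) simulates steps 3 to 5 of the login process above against a constructed in-memory directory: the user-supplied username is escaped before it goes into the search filter, and every failure maps to the same 403. The `uid`, `givenName`, `sn` and `mail` attribute names, the sample entries, and the password comparison standing in for a bind as the user's DN are assumptions.

```python
import re

BASE_DN = "ou=students,o=XXX"  # Base DN in the form shown in the prerequisites
USER_ATTR = "uid"              # assumed username attribute name
# Constructed sample entries; "password" stands in for what a user bind would verify.
DIRECTORY = {
    "uid=jdoe,ou=students,o=XXX": {"uid": "jdoe", "givenName": "Jane", "sn": "Doe",
                                   "mail": "jdoe@example.edu", "password": "s3cret"},
    "uid=asmith,ou=students,o=XXX": {"uid": "asmith", "givenName": "Al", "sn": "Smith",
                                     "mail": "asmith@example.edu", "password": "hunter2"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: filter metacharacters become backslash-hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    """Search filter for the user logging in, with the input escaped."""
    return "(%s=%s)" % (USER_ATTR, escape_filter_value(username))

def _part_to_regex(part):
    if part == "*":                                   # unescaped wildcard
        return ".*"
    if re.fullmatch(r"\\[0-9a-fA-F]{2}", part):       # escaped literal character
        return re.escape(chr(int(part[1:], 16)))
    return re.escape(part)

def search(base_dn, ldap_filter):
    """Toy stand-in for the service account's search; handles one (attr=value) term."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    pattern = "".join(_part_to_regex(p)
                      for p in re.split(r"(\*|\\[0-9a-fA-F]{2})", value))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base_dn) and re.fullmatch(pattern, entry.get(attr, ""))]

def login(username, password):
    """Return (200, profile) on success, otherwise the same (403, None) for every failure."""
    if not password:  # an empty password would be an unauthenticated bind (RFC 4513)
        return 403, None
    matches = search(BASE_DN, build_filter(username))
    if len(matches) != 1:                             # unknown or ambiguous user
        return 403, None
    entry = DIRECTORY[matches[0]]
    if entry["password"] != password:                 # stands in for binding as the user
        return 403, None
    return 200, {k: entry[k] for k in ("givenName", "sn", "mail")}
```

With the escaping in place, a username such as `jd*` is searched for as a literal string and matches no entry, whereas the same value placed unescaped in the filter would match `jdoe`.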

    Integration Method

    • LDAP

    Prerequisites 

    There are several prerequisites to the campusM integration with LDAP:
    Prerequisite | Additional Information
    Provide the LDAP/Active Directory Hostname (e.g. ldaps://ad.XXX.edu:636) | A signed SSL certificate (by a valid Certificate Authority) is required to enable the Connect Layer to communicate with the LDAPS server. Self-signed certificates are not recommended
    Ensure that the LDAP server is available for calls from the Connect Layer server(s) | The integration of campusM with LDAP requires the Connect Layer to call the service. This step ensures that LDAP servers are set up to allow calls from the Connect Layer server(s) and the Connect Layer hostname was added to the accepted list of hostnames in LDAP
    Provide the Base DN (Distinguished Name) | Location in the LDAP tree for individuals with access to the app, e.g. ou=students, o=XXX
    Provide the LDAP attribute names for the required attributes (Firstname, Lastname, Email address, Username / UPN) |
    Provide the Service Account full DN (e.g. cn=svc_campusM, ou=users, o=Ex Libris) | Allows Ex Libris to bind to your AD/LDAP account and perform a search under the Base DN
    Provide the Service Account password |
    Provide a minimum of three (3) end to end Test accounts for verifying the authentication process works as expected |

    To ensure the LDAP server can handle the university usage (load), please use the following table as guidelines to ensure stability of the login service:
    FTE (Institution Size) | Required Average Peak load (login requests / second)
    1 - 1,000 | 100
    1,000 - 10,000 | 200
    10,000 - 50,000 | 400
    50,000+ | 700

     

    User Experience

    Users will be able to log in using their university username and password in the iOS and Android apps as well as on the web portal.

    Screenshots

    LDAP - Screenshot.png

    Sample Requests

    N/A

    Offline Functionality

    Not supported.

    Configuration Options

    N/A

    Suggested Testing Guidelines

    The following acceptance criteria are recommended as part of the testing and approval process:
    • User can log in to the campusM web portal using their institution credentials
    • User can log in to the campusM iOS and Android apps using their institution credentials